International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

INT-RUP Secure Lightweight Parallel AE Modes

Authors:
Avik Chakraborti , NTT Secure Platform Laboratories, Tokyo, Japan
Nilanjan Datta , Indian Statistical Institute, Kolkata, India
Ashwin Jha , Indian Statistical Institute, Kolkata, India
Cuauhtemoc Mancillas-López , Department of Computer Science, CINVESTAV-IPN, México City, Mexico
Mridul Nandi , Indian Statistical Institute, Kolkata, India
Yu Sasaki , NTT Secure Platform Laboratories, Tokyo, Japan
Download:
DOI: 10.13154/tosc.v2019.i4.81-118
URL: https://tosc.iacr.org/index.php/ToSC/article/view/8454
Search ePrint
Search Google
Abstract: Owing to the growing demand for lightweight cryptographic solutions, NIST has initiated a standardization process for lightweight cryptographic algorithms. Specific to authenticated encryption (AE), the NIST draft demands that the scheme should have one primary member that has key length of 128 bits, and it should be secure for at least 250 − 1 byte queries and 2112 computations. Popular (lightweight) modes, such as OCB, OTR, CLOC, SILC, JAMBU, COFB, SAEB, Beetle, SUNDAE etc., require at least 128-bit primitives to meet the NIST criteria, as all of them are just birthday bound secure. Furthermore, most of them are sequential, and they either use a two pass mode or they do not offer any security when the adversary has access to unverified plaintext (RUP model). In this paper, we propose two new designs for lightweight AE modes, called LOCUS and LOTUS, structurally similar to OCB and OTR, respectively. These modes achieve notably higher AE security bounds with lighter primitives (only a 64-bit tweakable block cipher). Especially, they satisfy the NIST requirements: secure as long as the data complexity is less than 264 bytes and time complexity is less than 2128, even when instantiated with a primitive with 64-bit block and 128-bit key. Both these modes are fully parallelizable and provide full integrity security under the RUP model. We use TweGIFT-64[4,16,16,4] (also referred as TweGIFT-64), a tweakable variant of the GIFT block cipher, to instantiate our AE modes. TweGIFT-64-LOCUS and TweGIFT-64-LOTUS are significantly light in hardware implementation. To justify, we provide our FPGA based implementation results, which demonstrate that TweGIFT-64-LOCUS consumes only 257 slices and 690 LUTs, while TweGIFT-64-LOTUS consumes only 255 slices and 664 LUTs.
Video from TOSC 2020
BibTeX
@article{tosc-2020-30088,
  title={INT-RUP Secure Lightweight Parallel AE Modes},
  journal={IACR Transactions on Symmetric Cryptology},
  publisher={Ruhr-Universität Bochum},
  volume={2019, Issue 4},
  pages={81-118},
  url={https://tosc.iacr.org/index.php/ToSC/article/view/8454},
  doi={10.13154/tosc.v2019.i4.81-118},
  author={Avik Chakraborti and Nilanjan Datta and Ashwin Jha and Cuauhtemoc Mancillas-López and Mridul Nandi and Yu Sasaki},
  year=2020
}